Squeak viruses (was Re: [VIRUS WARNING] Re: Check this)

Raab, Andreas Andreas.Raab at disney.com
Thu Mar 2 07:54:53 UTC 2000


> Along the same line (security), has anyone looked deeply into 
> what kind of security issues are opened up by the Squeak browser 
> plug-in?

Yes. Several people have (and not only for Squeak).

> A hacker friend of mine suggests that Squeak will have far, FAR more
> potential security issues than Java has or ever could.

Then your hacker friend doesn't really understand the issue ;-)

By definition, a Smalltalk system runs bytecodes and will go through
primitives to do any I/O-like stuff. The I/O stuff is what's critical for
security since if you can't read files from the host system you can't spy
somebody out, if you can't open sockets to some external host you can't send
the credit card number back, if you can't access named primitives from
unvalidated external VM plugins you can't do any uncontrolled things, if you
can't save the image you can't keep any stuff in that may harm you later,
etc. 

So, if the I/O stuff is secured the system is as secure as you want it to
be. The only thing that's relatively easy to do in a Smalltalk system (and a
little harder in Java) is to crash the VM (though this could be made harder
by a VM level code validator). But on any even somewhat recent OS that'll
just throw out Squeak and that's that (hey, that even works on Windows ;-)

  Andreas
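
The argument in the message above, modelled as an added example (not code from the post or from Squeak): a toy VM in Python where guest code reaches the host only through a primitive table, so a deny policy on the file, socket, external-plugin and image-save categories is the whole enforcement point. All primitive names, categories, plugin names and the guest program are constructed for illustration.

```python
# Toy VM whose only path to the host is a primitive table (constructed names; not Squeak's VM).
FILE, SOCKET, PLUGIN, SNAPSHOT, PURE = "file", "socket", "plugin", "snapshot", "pure"

class PrimitiveFailed(Exception):
    """Raised when policy refuses a primitive; guest code sees only this."""

class ToyVM:
    def __init__(self, allowed=(), validated_plugins=()):
        self.allowed = {PURE, *allowed}
        self.validated_plugins = set(validated_plugins)
        self.denied = []  # audit trail of refused primitive calls
        # Every host-facing operation is listed here and nowhere else.
        self.table = {
            "add": (PURE, lambda a, b: a + b),
            "fileRead": (FILE, lambda path: f"<bytes of {path}>"),
            "socketConnect": (SOCKET, lambda host, port: f"<conn {host}:{port}>"),
            "saveImage": (SNAPSHOT, lambda: "<image written>"),
        }

    def primitive(self, name, *args, plugin=None):
        if plugin is not None:  # named primitive living in an external plugin
            ok = PLUGIN in self.allowed and plugin in self.validated_plugins
            category, impl = PLUGIN, (lambda *a: f"<{plugin}.{name} ran>")
        else:
            category, impl = self.table[name]
            ok = category in self.allowed
        if not ok:
            self.denied.append((category, name))
            raise PrimitiveFailed(name)
        return impl(*args)

    def run(self, sends):
        """Execute guest sends; a refused primitive yields None instead of host access."""
        results = []
        for name, args, plugin in sends:
            try:
                results.append(self.primitive(name, *args, plugin=plugin))
            except PrimitiveFailed:
                results.append(None)
        return results

# Constructed guest program: one harmless send, then the four actions the message lists.
GUEST = [
    ("add", (3, 4), None),
    ("fileRead", ("notes.txt",), None),
    ("socketConnect", ("collector.example", 443), None),
    ("grabKeys", (), "UnvalidatedPlugin"),
    ("saveImage", (), None),
]
```

With `ToyVM()` the guest still computes, but every host-facing send fails at the table and is recorded in `denied`; granting a category (for example `allowed=(FILE,)`) opens exactly that one path.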




